API keys, webhook signatures, and tenant isolation.
Each API key is 24 bytes of cryptographic randomness, base64url-encoded with the prefix crk_. Keys are hashed with SHA-256 at rest. The plaintext is shown once on creation and never logged. Rotate via POST https://api.crawlcrawl.com/v1/keys/rotate.
Deliveries include X-Crawler-Signature: sha256=<hex> — HMAC-SHA256 of the raw body, keyed by your project's webhook secret. Fetch the secret with GET https://api.crawlcrawl.com/v1/webhook/secret. Verify on your side; reject unsigned requests.
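One way to do the receiver-side check described above, as an added example that is not code from this page or from the service. The function names and sample values are hypothetical, and it assumes the webhook secret is used as UTF-8 bytes for the HMAC key, which the page does not specify.

```python
import hashlib
import hmac
import json

HEADER = "x-crawler-signature"  # compared lower-case; header names are case-insensitive
PREFIX = "sha256="


def sign(raw_body: bytes, secret: bytes) -> str:
    """Build the header value for a body (used here only to make sample data)."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_delivery(raw_body: bytes, headers: dict, secret: bytes) -> bool:
    """Return True only when the header holds a valid HMAC-SHA256 of raw_body."""
    value = {k.lower(): v for k, v in headers.items()}.get(HEADER)
    if value is None or not value.startswith(PREFIX):
        return False  # unsigned request or unknown scheme: reject
    try:
        presented = bytes.fromhex(value[len(PREFIX):])
    except ValueError:
        return False  # signature is not valid hex
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(presented, expected)


# Constructed sample data; the secret encoding (UTF-8 bytes) is an assumption.
SAMPLE_SECRET = "constructed-secret-not-real".encode("utf-8")
SAMPLE_BODY = b'{"example":"constructed payload"}'
SAMPLE_HEADERS = {"X-Crawler-Signature": sign(SAMPLE_BODY, SAMPLE_SECRET)}
# Parsing and re-serialising changes the bytes, so the MAC no longer matches.
REPARSED_BODY = json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8")

if __name__ == "__main__":
    print("raw body:     ", verify_delivery(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_SECRET))
    print("reparsed body:", verify_delivery(REPARSED_BODY, SAMPLE_HEADERS, SAMPLE_SECRET))
    print("unsigned:     ", verify_delivery(SAMPLE_BODY, {}, SAMPLE_SECRET))
```

Pass the request body exactly as received, before any JSON parsing or framework decoding, since the signature covers the raw bytes.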
TLS 1.2 or higher. HSTS enabled. Cipher suites managed by our edge provider; weak ciphers disabled.
Multi-tenant by project_id. Project A cannot access project B's crawl runs, pages, links, or other resources. Verified via integration tests on every release.
Every action against your project (key rotation, crawl creation, monitor edits) is recorded with timestamp and key prefix. Accessible via GET https://api.crawlcrawl.com/v1/logs.
Daily and monthly caps are enforced server-side via an atomic transaction. A per-tier concurrent-run cap prevents queue monopolization.
Boot-time health verification. Automatic worker restart on crash (6-second recovery under live load). Daily snapshots; sub-day point-in-time recovery on the roadmap.
Email [email protected]. Acknowledgment within 72 hours. Coordinated disclosure preferred; credit given if requested.